Days after a devastating cyber attack on Wired journalist Mat Honan that exposed security flaws in Amazon's and Apple's online services, Amazon has fixed a problem that helped hackers gain control over Honan's online accounts and remotely wipe his iPhone, iPad, and MacBook.

Honan's story in Wired (a sister publication of Ars) is well worth reading. It stands both as an indictment of Apple's and Amazon's security and as a warning to users to take extra precautions. Hackers first took advantage of Amazon's user account system to view the last four digits of a credit card linked to Honan's Amazon account. They then used that information to trick Apple's support representatives into thinking they were dealing with Honan. Apple employees "gave the hackers a temporary password into Honan’s Apple ID, which the hackers used to wipe his iPhone, iPad and MacBook, and gain access to a number of email accounts as well as his Twitter account," Wired notes in a follow-up report.

This follow-up report reveals that Amazon has issued a policy change that closes the security hole by no longer allowing people to call Amazon and change account settings such as credit cards and e-mail addresses. Previously, Amazon's phone policy essentially allowed hackers to use social engineering tricks on support representatives to learn sensitive information about targets like Honan.

As Honan explained, Amazon allowed users to add a credit card number to an account simply by calling Amazon and providing a name, e-mail address, and billing address. After hackers used this method of adding a credit card number to Honan's account, they hung up—and then called Amazon back to claim they'd lost access to the account. At this point, they provided the fake credit card number, convincing Amazon to let them add a new e-mail address to the account. The next step was going to the Amazon website and requesting that a password reset e-mail be sent to that e-mail address. From there, the hackers could view the last four digits of Honan's credit cards on Amazon's website.

With those four digits (and Honan's username and billing address), hackers convinced Apple to send a temporary password that let them take over his iCloud account and wreak all sorts of havoc. "The very four digits that Amazon considers unimportant enough to display in the clear on the Web are precisely the same ones that Apple considers secure enough to perform identity verification," Honan wrote.

Wired discovered Amazon's policy change closing this method of attack today, after failing to replicate the exploits hackers used against Honan. Amazon spokespeople did not confirm the change, but customer service representatives told Wired that the policy changes were sent out this morning to enhance user security.

That still leaves Apple, whose security policies are getting deserved scrutiny in the wake of the Honan attack. Apple blamed the hack on its own policies not being followed.

“Apple takes customer privacy seriously and requires multiple forms of verification before resetting an Apple ID password," Apple told Wired, according to Honan's long analysis of the attack on him. "In this particular case, the customer’s data was compromised by a person who had acquired personal information about the customer. In addition, we found that our own internal policies were not followed completely. We are reviewing all of our processes for resetting account passwords to ensure our customers’ data is protected.”

However, Honan wrote that Apple's tech support confirmed to him—twice—that all that's needed to access someone's Apple ID is "the associated e-mail address, a credit card number, the billing address, and the last four digits of a credit card on file." Wired was also able to replicate the attack by performing it on another account, using the very same methods hackers used against Honan.

Digital security is becoming ever more important as our various accounts, devices, and digital identities are tied to online services, many of which are connected in ways that can be exploited by hackers. There are steps people can take to protect themselves, such as using different credentials for different accounts, making local backups, and disabling certain location services. Sean Gallagher detailed many of the ways in which you can harden your digital security in a post yesterday.

UPDATE: Apple has temporarily frozen over-the-phone password resets while it figures out what to do next.

The article stated that hackers called the customer support and added a cc to the account, which was then used to reset the password. I am not sure how I as a customer could prevent this situation from happening. I actually think that it is not my fault at all.

Apple is not known as a secure company, but does it matter? Not really. It's your money, not Apple's or Amazon's. But these companies should have an interest in securing your assets as well, since if it is not safe you may not do business with them anymore.